Suddenly RADIUS authentication is gone on macOS server (TLS session fails)

Question

Suddenly my RADIUS authentication is gone on my MacOS Server running 10.13.6 and Server Version 5.6.1 (17S2109.

I already restored the Open Directory Server.

$ host name.domain.tld
name.domain.tld has address xxx.xxx.xxx.xxx
host xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx.in-addr.arpa domain name pointer name.domain.tld.
$ kinit account
account@name.domain.tld's password: 
kinit: krb5_get_init_creds: Client (account@name.domain.tld) unknown
$ klist
klist: krb5_cc_get_principal: No credentials cache file found
$ sudo slaptest -f /private/etc/openldap/slapd.conf -v
Password:
5c5fd38c bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
config file testing succeeded

When trying to replace the preinstalled RADIUS with FreeRADIUS following Apple's documentation:

Run the following command: ls /usr/local/lib/rlm_opendirectory.* You should see the following in the output:

• rlm_opendirectory.a

• rlm_opendirectory.dylib

• rlm_opendirectory.la

Nothing is found or present in the specified directory.

And neither are the files found in

ls /usr/local/Cellar/freeradius-server/3.0.17/lib/rlm_opendirectory.*

where the brew installation of FreeRADIUS is.

While checking Admin Tool Radius' Radius LOG I get:

Sun Feb 10 00:02:40 2019 : Error: TLS Alert read:warning:close notify
Sun Feb 10 00:02:40 2019 : Error:     TLS_accept: failed in SSLv3 read client key exchange A
Sun Feb 10 00:02:40 2019 : Error: rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Sun Feb 10 00:02:40 2019 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.
Sun Feb 10 00:02:40 2019 : Auth: Login incorrect (TLS Alert read:warning:close notify): [someone/<via Auth-Type = EAP>] (from client some_client port 0 cli xx-xx-xx-xx-xx-xx)

Is there a way to troubleshoot or should I erase the system and rebuild the server?

Thanks in advance!

UPDATE

I went on with the installation of FreeRADIUS but cannot finish, since the rlm_opendirectory.* files are nowhere to be found/are not generates or whatever ...

They don't exist even in Time Machine backups of my system, but since RADIUS was up and running until yesterday, the opendirectory library files should be somewhere! Or?

I really hope someone can help out!

Just curious, but did your macOS version get updated to 5.7.x by any chance? — tegbains, Feb 10 '19 at 18:31
Thanks for your reply. No, server is still 5.6.1., but FreeRADIUS should install nevertheless. — SEJU, Feb 10 '19 at 19:52

score 0 · Accepted Answer · answered Apr 03 '19 at 08:39

I solved it. The main problem was that somehow my certificate stopped working. I issued a new one and used that.

I also switched to FreeRadius, which I would not have done, but since I started ad upgraded the system I went through. In order to get the OD driver complied I had to edit the formula and reinstall:

$ brew edit freeradius-server
add: --enable-developer=yes
save the formula
$ brew reinstall -s freeradius-server

Suddenly RADIUS authentication is gone on macOS server (TLS session fails)

1 Answers1